This week, the U.S. Securities and Exchange Commission (SEC) released new guidance on cyber security risk and incident disclosures (the most notable change in its cyber security guidance since 2011). While its significance is debated even inside the SEC, the guidance should facilitate a shift that pushes public companies to put stringent policies in place that prevent insider trading following a cyber security incident and to be transparent about their cyber risk, allowing investors to make well-informed decisions.
While Release No. 33-10459 doesn’t name any names, it’s hard to ignore the fact that it was published so soon after the Equifax breach. Many believe the company took too long to disclose to the public an incident that impacted more than 145.5 million people, and it appears that some corporate insiders may have been selling shares before the breach was public knowledge (this is still under investigation).
Regardless of whether the Equifax breach was the catalyst for this new publication, security incidents are a risk that nearly every company is facing, and an organization’s strategy for managing that risk plays a significant role in the company’s success. The SEC’s push to provide more transparency here is much needed.
There are two big takeaways for public companies in this new guidance. In this post, we’ll break these down, dive into the additional information now required in disclosures, and cover what your company should do now to stay aligned with the SEC.
Two Big Updates from the SEC and Their Impact on Your Company
This new guidance adds two key requirements to the SEC’s cyber security disclosure guidance from 2011.
1. Public companies need to have comprehensive cyber security policies for timely cyber risk and incident disclosures in place.
The new guidance requires public companies to build policies that set up tight controls and procedures for disclosing risks and incidents in a timely fashion. The guidance offers very specific elements to be included in these disclosure policies.
- Disclosure must be done in a timely manner. Time and time again, the SEC guidance emphasizes that risks and incidents must be reported as soon as possible to prevent insider trading, to provide potential investors with the information they need, and to be transparent with customers. The SEC also notes that an ongoing internal or external investigation (e.g., by law enforcement) is not a reason to withhold disclosure. While investigations may limit what is safe to disclose, companies are still obligated to provide the public with some level of information.
- Disclosure must be detailed and accurate. The new publication makes the point that disclosure should not be a “generic cybersecurity-related disclosure” and should provide investors with the specific details they need to make informed decisions. So how should you decide what is disclosed in these notices? Here are a few items the SEC recommends you consider when preparing to disclose cyber risk information:
- Any prior incidents, including their severity and frequency
- The probability of occurrence and the magnitude of the impact
- What preventative measures are being taken to reduce risk and the cost of these actions
- Company operations that present cyber security risks, including industry-specific, third-party-supplier, and service-provider risks
- The costs of protection, including cyber insurance and related service providers
- Reputational harm
- Requirements in existing or pending cyber security laws
- The cost of litigation, investigations, and remediation
These factors all revolve around the impact a risk could have on investors’ decisions. As for disclosing an incident, companies should consider the importance of the compromised data and its impact on company operations.
- Disclosure should not put the company at greater risk. This may feel a little obvious, but disclosure should never include so much detail that it compromises the company’s cyber security efforts. The SEC is clear that it does not want disclosure to give would-be attackers a guide to infiltrate your defenses or to provide technical details around systems, networks and devices, or system vulnerabilities. Instead, disclosure should focus on providing investors with information on the related financial, legal, and reputational consequences of certain risks or incidents.
2. Public companies should have policies and procedures in place that prevent executives and corporate insiders from trading in securities while possessing non-public information on cyber security risks or attacks.
This point applies to directors, officers, and other corporate insiders and places responsibility on the company to put measures in place that prevent insider trading. Timely disclosures shorten the period between discovery and public disclosure, narrowing the window in which insider trading can occur, but specific policies and controls should also be in place that prohibit insider trading prior to disclosure. Policies should also ensure there is a sufficient amount of time between disclosure and the sale of securities.
The New Guidance Requires More Information in Disclosures
Under the new guidance from the SEC, disclosures in your 10-K and related documentation require additional information, specifically in areas like legal proceedings, financial statements, and board oversight.
Management Discussion and Analysis (MD&A)
When reporting on financial conditions and the year’s operations, the new guidance requests information on the following:
- The cost of cyber security efforts
- The consequences of any cyber security incidents
- The risks of potential incidents
Description of Business
Any cyber security incidents or material risks that had an impact on company products, services, or relationships must be disclosed.
Any incidents or risks that may impact your company’s financial statements must be disclosed. Examples include:
- Expenses related to investigations, litigation, or other professional services following an incident
- Loss of revenue (including the loss of reputational value, like the loss of customer trust and relationships)
- Claims related to warranties, breach of contract, or insurance premium increases
- Impairment of intellectual property, intangibles, or other assets; increases in liabilities; or other costs
The board’s role in overseeing the management of cyber security risks must be included in Item 407(h) of Regulation S-K and Item 7 of Schedule 14A.
The CEO and CFO must make certifications of the design and effectiveness of disclosure controls and procedures, according to Exchange Act Rules 13a-14 and 15d-14, which now require certifications around controls for identifying cyber security risks and incidents.
The new SEC guidance places a heavy emphasis on the importance of cyber security policies in disclosing cyber risk and incidents and how they can play a role in preventing insider trading. This new guidance presents an excellent opportunity to evaluate your current policies and procedures related to disclosure and determine if updates are needed.
Focal Point has a team of cyber experts well-versed in the SEC’s guidance, SOX compliance, and industry regulations, laws, and best practices and can help your organization identify opportunities to improve policies, implement stronger controls, and integrate better disclosure processes.